The expected events are as follows:
- All security related events
- All individual user accesses to sensitive data.
- All actions taken by any individual with root or administrative privileges.
- Access to all audit trails.
- Invalid logical access attempts.
- Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.
- Initialization, stopping, or pausing of the audit logs.
- Creation and deletion of system-level objects.